Do You Own Your Identity Online?

The European “right to be forgotten” could help protect U.S. citizens against blanket data surveillance.

0

SHARES

(Photo: Maksim Kabakou/Shutterstock)

Facebook announced late last month that it had made a leap forward in its ability to identify faces in the photos published on its platform. Their software could match the same face in two different pictures with an accuracy of 97.25 percent, “closely approaching human-level performance,” according to the company’s report. The human rate of accuracy when identifying faces is 97.53 percent, just a few tenths better than Facebook’s algorithm.

This means that if the social network’s database has your face connected to your name—and, with more than 1.3 billion users and over 250 billion photos as of last year, it likely does—it can scan friends’ photos and tag you. On the surface, the system is routine and convenient: No longer do users have to manually input names when uploading a new photo. But does it strike anyone as strange that Facebook is trumpeting its ability to dissect your photos, as if a security guard is carefully scanning each party pic you post for readable data?

In the Internet era, our personal identities are fractured into many parts. We can be identified by our social media accounts or our phone calls and Web browsing histories, as Edward Snowden’s National Security Agency leaks underlined. And then there are the less mutable aspects of our identities: We can be tracked by the appearance of our faces, as on Facebook. As technology improves, we should be thinking about how surveillance can be applied to these latter qualities as well as the former.

Perhaps our primary concern should not be the collection of data, but how and why it is accessed and how long it survives.

As mundane as that assertion sounds, surveillance of physical data is becoming increasingly important, and not just for providing CSI plot points. Our data—whether physical or virtual, or physical and virtual—identifies us as individuals and is inextricable from our daily lives. Yet even in this time of mass surveillance, the legal structures around how we control our identities are more vague than ever.

The NSA’s own surveillance programs do have certain legal checks in place to protect those whose data it collects. The problem is, those confidential boundaries have never been examined under public scrutiny.

With surveillance programs like PRISM, the agency doesn’t need warrants to collect the data (including browsing history and phone call metadata) of U.S. citizens because it’s too difficult, it was determined, to gather massive amounts of information while filtering out targets from a specific region. Leaked documents (via ProPublica) call this the “limitations on NSA’s ability to filter communications.” If the data the NSA gathers turns out to be from a domestic U.S. citizen and doesn’t contain relevant information, it must be destroyed “at the earliest practicable point in the processing cycle,” though the domestic communications can still be retained for up to five years.

In the past, the Supreme Court has ruled such mass collections unconstitutional, but the U.S. laws governing data collection and surveillance have been loosening over the past decade, as this timeline clearly shows. A legal initiative in Europe, however, would have slowed the PRISM program down and given individuals more control over their data.

The “right to oblivion” (le droit à l’oubli) or “right to be forgotten” is a privacy measure put in place by the European Commission that allows Internet users to choose which of their data survives online. It has been defined as “the right of any individual to see himself or herself represented in a way that is not inconsistent with his/her current personal and social identity.” The law asserts an individual’s right to their online persona: If you tell Facebook to remove certain unflattering photos that you uploaded, the company is legally obligated to delete them.

In Italy, the first landmark right-to-oblivion ruling in 2012 established a precedent to an individual’s right over online information. A well-known figure who had been arrested for a crime sued a major newspaper to take down stories that failed to report their eventual acquittal. After an appeal, the court found that the newspaper had to “devise a suitable method to provide ... an update to the original news,” according to Lexology.

Other cases underline the difficulty of managing online information. A Spanish camping company sued Google Spain because the search engine displayed gruesome images from a gas explosion that had occurred near the campground (the company was not at fault). The company argued that the images were damaging their business, but the case was dismissed on the grounds that as a subsidiary, Google Spain wasn’t liable to be sued. Google faces other cases from individuals requesting the removal of personal data, which is more specifically targeted by the law, rather than business information.

The right-to-oblivion law has been accused of overreach by the Stanford Law Review. It encourages micro-management of online identity and allows abusers of the law to forcibly remove any information they might find simply embarrassing or unflattering from the Internet, as opposed to information that represents an actual overreach by journalists, businesses, or the government. Yet in the context of the NSA, this kind of law could enforce the ephemerality of sensitive data used in identity surveillance and allow individuals to manage the persistence of personal information.

Perhaps our primary concern should not be the collection of data, but how and why it is accessed and how long it survives. The NSA documents show an enforceable length of time that collected information can be held (whether that is followed or not is another question), but private companies and other areas of the government lack the same strict guidelines. Future regulation must cover both the kinds of data that can be gathered and if they can be stored.

The issue of data collection is particularly relevant in the case of Facebook. When the website suggests that you be tagged in a photo, what it actually does is compare a pre-created quantified dataset of your face to the newly uploaded image and measures how closely you match the identifiable subjects. Facebook keeps individual face templates in its databases to use over and over again.

Yet that template, if requisitioned by a group like the NSA, can be used in other contexts to identify an individual; in security camera footage, for example. Though it offers its users a chance to opt-out, Facebook is creating a database of identifiable faces en masse, and is already using them to improve its identification technology.

There is no legal ruling about the protection of face identification in the U.S., but there are other cases that could provide recourse if Facebook’s data were to be unreasonably used to identify a criminal by face recognition, for example. What most closely resembles mass face-data gathering are DNA dragnets, the widespread collection of DNA data to solve crimes like rape. Often, police will collect DNA samples from an entire population—the town the crime took place in, for example. But are they allowed to keep the samples to compare against in future cases?

A 2013 Supreme Court ruling found that DNA evidence can legally be collected from someone who has been arrested in connection with a serious crime, suggesting that even those mistakenly arrested or who are not ultimately found guilty are liable to be entered into a DNA database. Other cases reinforce the ephemerality of passively collected identity data.

In 1995, Michigan resident Blair Shelton was pressured into giving a genetic sample in connection with a rape case. When the testing freed him of suspicion, Shelton successfully sued to have his DNA information destroyed. The Michigan Supreme Court finally ruled, “state law says that police cannot keep DNA records of innocent people.” That edict should also apply to digital records.

How data is kept is just as important, if not more, than how it’s collected—a lesson we can take from these examples and apply to blanket NSA identity surveillance. While opting-out is currently an option on Facebook, it’s certainly not for government agencies.

The utopian promise of the Internet is that it’s a free hub for information, where the more data you give away the more benefit you receive in the form of discounts, targeted ads, or community membership. But rather than giving away information wantonly and waiting for legal structures to come into place, the question in the coming years should be how can we can control our identities more, not less. Laws like the right to be forgotten should provide tools to assert this control.